The guide for Obfuscation

No. This actually is false. It was not pure and there were still ways to steal Private Modules.

You should never add obfuscation to your game as with the mindset that it will improve security. Obfuscation will never make your script more secure sometimes even it might indirectly do the opposite.
Also it makes it a nightmare to debug your scripts and often the obfuscators custom lua vm will have some bugs which could also break your code. Obfuscators will make your script also much more laggy too.

You should only obfuscate your scripts if you are going to sell them though a better solution would be to license them. Obfuscation might temporarily protect your intellectual property from being leaked but it will not add any security.

This guide is rather outdated, Xen does not exist anymore and Luraph has been publicly cracked.

I have to disagree with this. Obfuscating a script hides the real source, which, even if very very insignificantly, still does increase the security. Never lowers it. You cannot compare clean code to vm obfuscated one and call them the same.

This is only true if you rely on obfuscation as your main defense line, however using it as a small extra obstacle for exploiters is fine (as long as you know what you’re doing and i. e. don’t obfuscate intensive stuff).

I actually know a few games which greatly benefit from obfuscating their most vital client stuff. Strucid anti cheat dev told me exploiters have a hard time bypassing his client-sided checks, because thanks to the obfuscation they don’t know how the checks work, and the malformed decompiler output doesn’t allow them to i. e. dump constants.

Granted, which is why (as I mentioned before) you have to be reasonable with what you obfuscate.
Also not that it really matters but some obfuscators let you preserve line info for errors, which let’s you debug them in the normal way.

I’ve only heard of 3 such bugs, 2 of which involved varargs. All have been patched and there haven’t been any new ones so far.

Sure they do lower the script’s efficiency, but not that greatly. Also again, they have to be used reasonably, like every other tool.

Obfuscation does not make any script more secure because the security vulnerabilities are still there. Sure it might make it harder for them to find them but it does not remove any the vulnerabilities.

Obscurity does not remove the problem it only tries to make it harder to get to get information about it.

There is no guarantee that obfuscation makes your script more secure.

Also attackers do not even have to solve the obfuscation as they can use tools like remote spy and use proxy variables in your code to analyse and interact with the script.

Obscurity as a form security have been ditched multiple times by security researchers as there is no proof that it increases real security. It might make the vulnerabilities more obscure but it does not make the code itself any more secure or remove any of the vulnerabilities. Also client side checks are 100% insecure as clients can edit all data on their computers.

I never understood this mindset. What’s wrong with a little more security? Obfuscation makes it harder for exploiters to read your scripts. Is that not a good thing?

Nobody said that obfuscation will make your script bullet proof, it’s just extra security. Also, I disagree with the client side checks. Yes, they aren’t as great as server sided checks but that doesn’t mean they’re completely useless. Again, I don’t see what’s wrong with a little extra security…

It’s such a great obfuscator, people use it all the time on my games lol.
Are there any known ways to deobfuscate code from Ironbrew?

Great guide! However I would like to point out that Synapse Xen was discontinued and Luraph was decompiled by bork so I mainly recommend ironbrew!

I’m not sure of the entire process of deobfuscating code from Ironbrew. A friend of mine who had Synapse X couldn’t even get the source code from it.

Ironbrew is a great obfuscator, in pretty much all aspects.

Continuing the discussion from The guide for Obfuscation:

People often think Obfuscated scripts are malicious. Say for example you are making a Hotel System, to sell to the public, but you don’t want your scripts stolen. Have your config in a Module Script, and then require a module. In that module, all of your obfuscated stuff exists.

If you don’t use a require module, and the scripts are like under the config, it is going to look very shady.

In that case use a real solution like adding an open-source license. With licensing you can guarantee nobody will touch it.

I understand obfuscating a bit of the frontend to make it a little harder for exploiters but obfuscating entire script systems to sell is obsolete imo.

Sell services, not goods.

Obscurity is not integrity, confidentiality, anonymity, or authenticity. It’s designed to hinder the performance and ability of decompilers. It’s not a defense approach, it’s a translation.

• Say you obfuscate the code which takes in unsanitized input, that doesn’t prevent the user from exploiting SQL injection, cross-site script attacks.
• Say you obfuscate some code using strcpy(), that shouldn’t prevent buffer overflows and control hijacking.
• If it actually does prevent the above situations, the original code logic has been changed. Which is not great for obfuscation.

If you’re going to implement a defense, it should aim to prevent specific attack vectors. Obfuscation aims to prevent decompiling, and shouldn’t be used to claim a game is secure from script executors. For security and the works, here’s this awesome topic.

As a programmer, I don’t see obfuscation as a good practice for development.
@xJxck_yy But cool topic, thanks for posting. Obfuscation seems to be quite popular on Roblox and despite the controversy on its use, it is interesting to discuss and talk about. I think a good addition to this would be a more in depth guide to how obfuscation works and achieves its goal.

Obfuscation is a very useful thing I’ve found in Roblox. Many people think it’s malicious as the principal uses of it are hiding backdoors.
I’ve seen many users say that it would be harder to debug. My solution would be to keep the script hidden and disabled in a folder in ServerStorage, that way you can disable the obfuscated code and then enable the non-obfuscated code and fix it.
This doesn’t makes your script exploit-proof, people can still use it but their source code is hard to crack.
Iron Brew is the best obfuscator.

Thanks for this tutorial, I’m thinking of selling some a few modules that let’s you set up datasystems and datastore easily.

My question is can people just copy the obfuscation code and pass it on? From what I understand the obfuscation just makes the code harder to read.

Does your system use licensing? With this, I mean does it connect to a form of database, such as MySQL.

Not yet, it’s not completed. I’m just confused on how obfuscation works.

You’re right. Obfuscation is just accomplishing the task that makes code hard to read for a user and a decompiler. If you’re giving out obfuscated code, it might be tricky for your consumers to read the code but they can redistribute the obfuscated code just the same.

I advertise against obfuscation in any development practice, but especially with marketing. If you plan on selling an obfuscated product, you’re going to lose value in the following ways.

• You’ll be selling the code functionality, but not code logic. In development, functionality and what the program should be accomplishing is going to change; only selling functionality will prevent consumer developers from adapting the script to fit future needs. This shifts all updates and maintenance of the script to you, where this now becomes a service.
• Developers cannot determine how the code works. This creates a trust system, trusting that you have no malicious code in the product and that you’ve employed secure, correct, and efficient methods in your script.

I apologize if this sounds at all negative, but that’s not the goal of this. I hope this can clear up some things, feel free to ask any questions. I do agree with some points of this thread and disagree with other ones. Let me know what you think about this.

It’s not security, it’s just a way to hide your potentially malicious code from script kiddies who have no idea what they’re doing. You can’t rely on it for all your security as most exploits can hook your functions. Although as @Amiaa16 has said, it’s not a bad thing to do with your already secure scripts as it may stop people who don’t know what they’re doing.

There’s a lot I should say about this. First is the status of these obfuscators

• Synapse Xen is discontinued as far as we’re aware of.
• Luraph is easily crackable now.
• Ironbrew 2 is discontinued, but V3 is in the works.

I don’t recommend all of these obfuscators as @T_eethyz has said.

Then the deobfuscation:

All obfuscators can be cracked depending on the person or company dealing with it / the complexity of the actual obfuscator. Like Luraph has been fully cracked by one guy but ALL obfuscators CAN be constant dumped, so I still don’t think you should ever use obfuscation to hide your variables as their values are all loaded and can be printed out. Even more advanced users can edit your variables without even deobfuscating your code. Let’s say you fully deobfuscate an obfuscator, you should be left with the script that has 0 debug information (no comments or variable names) but it is still readable just not as easy to read as before. So again, obfuscation should not be relied on as all of your codes “security”.

@xJxck_yy I totally get where you’re going at though and thanks for posting! I had fun typing out this response because I’m not doing a ton of things.

I hope this could have helped someone, and if you still have any questions don’t hesitate to reply to this or PM me.

heads up, ironbrew is open-source.
cough, well not really it got leaked so defcon decided to release it.